Web Application Firewall (WAF)

  • 2023-05-05
  • Author: Korims

A WAF, or web application firewall, helps protect web applications by filtering and monitoring HTTP traffic between the web application and the internet. It typically protects web applications against attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection. A WAF is a layer 7 (application layer, in the OSI model) defense and is not designed to defend against all types of attacks. This approach to attack mitigation is usually one part of a suite of tools that together create a holistic defense against a range of attack vectors.

By deploying a WAF in front of a web application, a barrier is placed between the web application and the internet. A forward proxy hides the identity of the client machine behind an intermediary; a WAF, by contrast, is a type of reverse proxy that shields the server from direct exposure, since clients must pass through the WAF before reaching the server.

WAFs operate through a set of rules commonly called policies. These policies are designed to protect against vulnerabilities in applications by filtering out malicious traffic. Part of the value of a WAF comes from the speed and ease with which policies can be modified, allowing a faster response to different attack vectors; during a DDoS attack, for example, rate limiting can be quickly enforced by modifying the WAF policy.

What is the difference between Blocklist and Allowlist WAFs?

A WAF that operates on a blocklist (negative security model) protects against known attacks. Think of a blocklist WAF as a club bouncer instructed to deny entry to guests who do not meet the dress code. In contrast, an allowlist-based WAF (positive security model) only admits traffic that has been pre-approved. It is like a bouncer at an exclusive party who only lets in those who are on the list. Both blocklists and allowlists have their advantages and disadvantages, which is why many WAFs offer a hybrid security model that combines the two.
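As an added illustration of the policy concepts above (blocklist signatures, an allowlist of pre-approved endpoints, the hybrid of both, and a per-client rate limit that can be tightened on the fly), here is a minimal policy engine written for this page; it is example code, not from the original article or any real WAF product, and the request fields, signatures, endpoints and IP addresses are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class Request:  # minimal view of one HTTP request (constructed for this example)
    client_ip: str
    method: str
    path: str
    query: str = ""
    ts: float = 0.0  # seconds, supplied by the caller to keep the demo deterministic

@dataclass
class Policy:  # allowlisted endpoints, blocklisted signatures, rate limit per window
    allow: set = field(default_factory=set)    # {(method, path_prefix), ...}
    block: list = field(default_factory=list)  # compiled regular expressions
    rate_limit: int = 100                      # max requests per client per window
    window: float = 60.0                       # window length in seconds

class Waf:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.seen = defaultdict(deque)  # client_ip -> request timestamps in window

    def _rate_limited(self, req: Request) -> bool:
        q = self.seen[req.client_ip]
        while q and req.ts - q[0] >= self.policy.window:  # expire old entries
            q.popleft()
        q.append(req.ts)  # every request counts, even ones denied further down
        return len(q) > self.policy.rate_limit

    def inspect(self, req: Request) -> str:
        p = self.policy
        if self._rate_limited(req):
            return "deny:rate-limit"
        # Allowlist (positive model): only pre-approved method/path pairs pass.
        if p.allow and not any(req.method == m and req.path.startswith(pre)
                               for m, pre in p.allow):
            return "deny:not-allowlisted"
        # Blocklist (negative model): known-bad signatures anywhere in the URL.
        for rx in p.block:
            if rx.search(req.path + "?" + req.query):
                return "deny:signature:" + rx.pattern
        return "allow"

# Hybrid policy: both lists active. Signatures are illustrative, not exhaustive.
DEMO_POLICY = Policy(
    allow={("GET", "/products"), ("POST", "/login")},
    block=[re.compile(r"(?i)<script"), re.compile(r"(?i)union\s+select"), re.compile(r"\.\./")],
    rate_limit=3, window=10.0)  # tightened limit, as one would set under a DDoS
```

Rate limiting is evaluated before the lists, so a flooding client is cut off regardless of what it sends; the `seen` table is per-process and would need shared storage behind a load-balanced WAF tier.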

What are network-based, host-based and cloud-based WAFs?

A WAF can be implemented in three different ways, each with its own advantages and disadvantages:

  • Network-based WAFs are usually hardware-based. Since they are installed locally, latency is minimized, but network-based WAFs are the most expensive option and also require physical equipment to be housed and maintained.

  • Host-based WAFs can be fully integrated into the application software. This solution is less expensive than a network-based WAF and offers more customizability. The disadvantages of host-based WAFs are the consumption of local server resources, implementation complexity, and maintenance costs. These components often require engineering time and can be expensive.

  • Cloud-based WAFs offer an affordable option that is easy to implement; they often offer turnkey installations that are as simple as changing DNS to redirect traffic. Cloud-based WAFs also have minimal upfront costs, as users pay monthly or annually for security-as-a-service. Cloud-based WAFs can also provide a solution that is continuously updated to protect against the latest threats without any additional effort or cost on the user's end. The downside of a cloud-based WAF is that the user hands responsibility over to a third party, so some features of the WAF can be a black box to them. (A cloud-based WAF is a type of cloud firewall.)